OgoneSYS

'custom' messages

Discussion created by OgoneSYS on Aug 22, 2013
Latest reply on Sep 23, 2013 by RSA Admin

Dears,

I would like to ask how 'tough' it is to create a 'custom' message in Envision?

(I'm totally new to Envision)

My problem is related to F5 LTM.

Envision comes with plenty of predefined messages but it does not recognize the main one we need to trap.

I tried to create new messages based, for example, on the two alerts below:

 

- Alerts 347

Pattern: <@msg:*PARMVAL($MSG)><@:*SYSVAL($MSGID,$ID1)><@event_description: Pool has available members>{ <hostname> <agent>[<process_id>]: <fld1>:<fld2>: Pool | <hostname> <severity> <agent>[<process_id>]: <fld1>:<fld2>: Pool } <pool_name> now has available members

Message from F5: Aug 22 15:03:18 P01LBF01 err tmm[9597]: 01010221:3: Pool /Common/pool_p01_isp2_tiscali_witness now has available members

 

- Alerts 62

Pattern: <@msg:*PARMVAL($MSG)><@:*SYSVAL($MSGID,$ID1)><@event_description: No members available for pool><hostname> <agent>[<process_id>]: <fld1>:<fld2>: No members available for pool <pool_name>

Message from F5: Aug 22 15:03:15 P01LBF01 err tmm[9597]: 01010028:3: No members available for pool /Common/pool_p01_isp2_tiscali_witness

 

 

But so far my 'custom messages' are not trapped by Envision:

- Alert 400 (node)

The regexp I did:

<@msg:*PARMVAL($MSG)><@:*SYSVAL($MSGID,$ID1)><@event_description: Node monitor status>{ <hostname> <agent>[<process_id>]: <fld1>:<fld2>: Node | <hostname> <severity> <agent>[<process_id>]: <fld1>:<fld2>: Node } <node_name> address <ip_address_> monitor status <change_new>

The messages I need to trap (two examples):

Aug 21 15:19:56 P02LBF02 notice mcpd[6578]: 01070640:5: Node /Common/VNDMZFE32 address 10.1.9.132 monitor status down. [ was up for 23hrs:46mins:25sec ]

Aug 21 15:20:11 P02LBF02 notice mcpd[6578]: 01070728:5: Node /Common/VNDMZFE32 address 10.1.9.132 monitor status up. [ was down for 0hr:0min:15sec ]

 

- Alert 401 (pool member)

The regexp I did:

 

The messages I need to trap (two examples):

Aug 21 19:24:06 P01LBF01 notice mcpd[5453]: 01070638:5: Pool /Common/POOL_P01-PROD-FE-HTTPS-GENERIC-ISP2 member /Common/IZDMZFE34:81 monitor status node down. [ was up for 24hrs:5mins:55sec ]

Aug 21 19:24:13 P01LBF02 notice mcpd[5171]: 01070727:5: Pool /Common/POOL_P01-PROD-FE-HTTPS-GENERIC-ISP2 member /Common/IZDMZFE34:81 monitor status up. [ was node down for 0hr:0min:15sec ]

 

 

 

Could someone review what I am trying to achieve and explain if I am wrong somewhere?

Or point me to documentation/examples I can look at?

I must admit I am a bit lost in Envision. I have been able to understand how views, messages... work, but currently I have no clue where to look further.

 

Thanks a lot

Best regards,

 

--

Benoit
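
Added example, not part of the original post and not enVision pattern syntax: a Python parser that spells out the fields present in the four node and pool-member lines quoted above, including the trailing "[ was ... for ... ]" part, which can help check field boundaries before writing a device pattern. The regular expressions and field names are assumptions derived only from the sample lines in the post.

```python
import re

# The four node / pool-member lines quoted in the post, plus one pool line
# from the post that is not a monitor-status event and must not match.
SAMPLES = [
    "Aug 21 15:19:56 P02LBF02 notice mcpd[6578]: 01070640:5: Node /Common/VNDMZFE32 address 10.1.9.132 monitor status down. [ was up for 23hrs:46mins:25sec ]",
    "Aug 21 15:20:11 P02LBF02 notice mcpd[6578]: 01070728:5: Node /Common/VNDMZFE32 address 10.1.9.132 monitor status up. [ was down for 0hr:0min:15sec ]",
    "Aug 21 19:24:06 P01LBF01 notice mcpd[5453]: 01070638:5: Pool /Common/POOL_P01-PROD-FE-HTTPS-GENERIC-ISP2 member /Common/IZDMZFE34:81 monitor status node down. [ was up for 24hrs:5mins:55sec ]",
    "Aug 21 19:24:13 P01LBF02 notice mcpd[5171]: 01070727:5: Pool /Common/POOL_P01-PROD-FE-HTTPS-GENERIC-ISP2 member /Common/IZDMZFE34:81 monitor status up. [ was node down for 0hr:0min:15sec ]",
    "Aug 22 15:03:18 P01LBF01 err tmm[9597]: 01010221:3: Pool /Common/pool_p01_isp2_tiscali_witness now has available members",
]

# Header shared by the samples: timestamp, host, severity, agent[pid], id:level.
# Group names are illustrative (assumed), not enVision variable names.
HEADER = (
    r"^(?P<timestamp>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<hostname>\S+) (?P<severity>\S+) "
    r"(?P<agent>[\w-]+)\[(?P<process_id>\d+)\]: "
    r"(?P<msg_id>[0-9A-Fa-f]{8}):(?P<level>\d): "
)
# "monitor status <new>." followed by an optional "[ was <old> for <duration> ]".
# The status can be two words ("node down"), so it is not a single token.
TAIL = (
    r"monitor status (?P<status>.+?)\."
    r"(?: \[ was (?P<previous>.+?) for (?P<duration>\S+) \])?$"
)
NODE = re.compile(
    HEADER + r"Node (?P<node_name>\S+) address (?P<ip_address>\S+) " + TAIL
)
MEMBER = re.compile(
    HEADER + r"Pool (?P<pool_name>\S+) member (?P<member>\S+) " + TAIL
)


def parse(line):
    """Return a dict of named fields, or None for any other message."""
    for kind, rx in (("node", NODE), ("pool_member", MEMBER)):
        m = rx.match(line.strip())
        if m:
            return {"kind": kind, **m.groupdict()}
    return None


if __name__ == "__main__":
    for line in SAMPLES:
        print(parse(line))
```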
